Chapter 2 Related Works
2.4 The DPM-AD scheme
2.4.1 The coding of marks
To solve the problems encountered in the above two situations, a modified hash-based DPM scheme was proposed in [16]; for convenience, we call this scheme DPM-AD. In this modified scheme, the 17 bits are divided into three fields: a $d$-bit digest field, an $a$-bit address bits field, and an $s$-bit segment number field. An IP address, possibly with padding bits, is divided into $k = 2^s$ segments, and each segment contains $a$ bits. The digest field of the marks from the same router interface always remains the same, so that the victim can reconstruct the interface address by associating the address segments that carry the same digest. Figure 2-2 shows the schematics of the DPM-AD scheme. Each of the marks has its address bits set to a different segment of the ingress address, and its segment number field is set to the corresponding value. When a packet is received by a router, a mark is randomly selected, with a fixed probability, and is used to replace the packet ID field and the RF bit. It is possible to assign different values to $d$, $a$, and $s$ as long as the values satisfy the two constraints given in [16].
Figure 2-2. The schematics of the DPM-AD scheme [16]
2.4.2 The reconstruction process
The reconstruction procedure of this scheme is divided into two parts. Firstly, the victim sets the appropriate bits in RecTbl to indicate which marks arrived at the destination. A reconstruction table RecTbl is a $2^{17}$-bit structure and consists of $2^d$ areas. Each area has $k$ segments, and each segment consists of $2^a$ bits. Figure 2-3 shows an example of RecTbl, where $k$, $d$, and $a$ are 16, 11, and 2, respectively. When the victim receives an attack packet, the digest is extracted from the mark and determines the area in which a bit will be set. The segment number field in the mark indicates the segment within that RecTbl area, and the value of the address bits in the mark indicates the actual bit. Therefore, each bit in RecTbl indicates whether the corresponding mark arrived at the victim. Secondly, to create permutations of segments, each segment has to be combined with the other segments of the same area. Then the hash function is applied to each of these permutations. If the result matches the area number, the permutation is considered a valid ingress address.
Figure 2-3. An example of RecTbl, where $k$, $d$, and $a$ are 16, 11, and 2, respectively. [16]
2.4.3 Performance analysis
Obviously, even with an ideal hash function, false positives are inevitable if the number of simultaneous attackers $N$ is greater than $2^d$. The authors evaluated the maximum number of attackers the DPM-AD scheme can tolerate under the constraint that the average number of false positives is less than 1% of $N$. The authors claim that the expected number of different values of a segment can be thought of as the expected number of faces turning up on a $2^a$-sided die after $N/2^d$ throws, and the expected value is
Then the expected number of permutations that result in a given digest for a given area of the RecTbl is
Therefore, the total number of permutations is obtained by multiplying the number of false positives for a single area by the number of areas, $2^d$. The total number of false positives is then the total number of permutations less the number of valid ingress addresses. Under the condition that the number of false positives is less than 1% of $N$, the following inequality has to be solved for $N$:
Finally, the maximum $N$ that satisfies this inequality, $N_{MAX}$, can be calculated. Moreover, the expected number of datagrams, $E[D]$, required to be marked by one interface in order for the victim to reconstruct its interface address is given by the Coupon Collector Problem:
$E[D] = k\left(1 + \frac{1}{2} + \cdots + \frac{1}{k}\right)$. [16]
Table 2-1. Relationship between $a$, $k$, $s$, $d$, $N_{MAX}$, and $E[D]$
2.4.4 Problems
However, the calculation of the average number of false positives by the authors of the DPM-AD scheme is too optimistic. In fact, the number of ingress router interfaces in the Internet, denoted as $M$, is much larger than the number of simultaneous attackers involved in an attack. With an ideal hash function that generates a $d$-bit digest, these $M$ interfaces can be divided into $2^d$ equal-size groups such that two interfaces are in the same group if and only if their digests are identical. The analysis presented in [16] assumed that on average $N/2^d$ interfaces are selected from each group; for example, with $d = 11$ and $N = 2048$, one interface is selected from each group and thus there is no digest collision. A more realistic assumption is to select $N$ interfaces at random out of $M$. Under this assumption, digest collisions and false positives will happen because it is possible to select multiple interfaces from the same group, and unfortunately the number of false positives could be very large in this case. For example, consider the scenario with $d = 11$, $a = 2$, and $s = 4$. If two interfaces are selected from the same group, then the number of possible combinations of address segments could be as large as $2^{16}$ (every segment has two address bits set to 1). Since the digest is only 11 bits, the average number of false positives is $2^{16} \cdot 2^{-11} - 2 = 30$. The evaluation presented in the Appendix shows that the average number of false positives is about 47.18% when $M = 4096$ and $N = 1024$ with $d = 11$, $a = 2$, $s = 4$. Therefore, when attackers spread uniformly over the Internet, the DPM-AD is not as scalable as was claimed in [16].
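As an added example (not code from this thesis or from [16]), the following Python model implements the mark coding of 2.4.1 and the RecTbl reconstruction of 2.4.2 with $d = 11$, $a = 2$, $s = 4$, and then reproduces the collision case of 2.4.4: two interfaces with the same digest that differ in every segment give $2^{16}$ candidate permutations, of which about $2^{16} \cdot 2^{-11} - 2 \approx 30$ pass the digest check. The digest function (the top 11 bits of SHA-256 standing in for the ideal hash), the sparse dictionary form of RecTbl, and the sample addresses are assumptions of this example.

```python
import hashlib
from itertools import product

D, A, S = 11, 2, 4            # digest, address-bits and segment-number field widths
K = 1 << S                    # k = 2^s = 16 segments of a = 2 bits cover a 32-bit address
SEG_MASK = (1 << A) - 1

def digest(addr):
    """Stand-in for the ideal d-bit hash of [16]: the top D bits of SHA-256 (assumption)."""
    h = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:2], "big") >> (16 - D)

def segment(addr, seg):       # address bits of segment `seg`; segment 0 is the most significant
    return (addr >> (A * (K - 1 - seg))) & SEG_MASK
def marks(addr):
    """The K 17-bit marks of one ingress interface: digest | address bits | segment number."""
    dg = digest(addr)
    return [(dg << (A + S)) | (segment(addr, seg) << S) | seg for seg in range(K)]

def reconstruct(received):
    """Victim side: fill RecTbl from the marks, then test every permutation of each area."""
    rectbl = {}                                    # sparse RecTbl: area -> K sets of seen values
    for m in received:
        dg, bits, seg = m >> (A + S), (m >> S) & SEG_MASK, m & ((1 << S) - 1)
        rectbl.setdefault(dg, [set() for _ in range(K)])[seg].add(bits)
    found = set()
    for area, segs in rectbl.items():
        if all(segs):                              # every segment of the area has arrived
            for combo in product(*segs):           # one permutation of segment values
                addr = 0
                for bits in combo:
                    addr = (addr << A) | bits
                if digest(addr) == area:           # hash matches the area number: accept
                    found.add(addr)
    return found

def colliding_pair(start=0x0A000001):
    """Constructed worst case of 2.4.4: same digest as `start`, different in every segment."""
    n = 0
    while True:
        n, pattern, m = n + 1, 0, n + 1
        for _ in range(K):                         # XOR each 2-bit segment with 1, 2 or 3
            pattern, m = (pattern << A) | (1 + m % 3), m // 3
        cand = start ^ pattern
        if digest(cand) == digest(start):
            return start, cand

def false_positives(addrs):                        # reconstructed addresses that are not real
    found = reconstruct([m for a in addrs for m in marks(a)])
    return len(found) - len(addrs)
```

With a single interface the table holds one permutation per area and nothing is falsely accepted; with the constructed colliding pair the count lands near the 30 derived above, varying with the hash.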